Error creating launcher form: Unknown OpenSSL error #3701

Closed
kcleal opened this issue Dec 2, 2022 · 21 comments
Labels
bug Something isn't working macos packaging

Comments

@kcleal

kcleal commented Dec 2, 2022

Hi,
I'm using macOS Big Sur 11.7.1. I've tried installing xpra using the mac installer or via brew and am using xpra version 4.4.3-r1, and OpenSSL 3.0.7 1 Nov 2022. I can't seem to start xpra attach. I keep running into this error:

xpra attach

(Xpra:42877): Gtk-CRITICAL **: 09:27:06.663: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2022-12-02 09:27:06,825 Xpra GTK3 client version 4.4.3-r1 64-bit
2022-12-02 09:27:06,855  running on Mac OS X 10.16
2022-12-02 09:27:09,388 GStreamer version 1.20.3
xpra main error:
Traceback (most recent call last):
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 142, in main
    return run_mode(script_file, cmdline, err, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 451, in run_mode
    return do_run_mode(script_file, cmdline, error_cb, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 495, in do_run_mode
    return run_client(script_file, cmdline, error_cb, options, args, mode)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1236, in run_client
    app = get_client_app(script_file, cmdline, error_cb, opts, extra_args, mode)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1401, in get_client_app
    app = get_client_gui_app(error_cb, opts, request_mode, extra_args, mode)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1437, in get_client_gui_app
    app.init(opts)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/client/gtk_base/gtk_client_base.py", line 131, in init
    UIXpraClient.init(self, opts)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/client/ui_client_base.py", line 177, in init
    c.init(self, opts)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/client/mixins/network_listener.py", line 50, in init
    self.sockets = create_sockets(opts, err)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/net/socket_util.py", line 320, in create_sockets
    import paramiko
  File "paramiko/__init__.pyc", line 22, in <module>
  File "paramiko/transport.pyc", line 132, in <module>
  File "paramiko/transport.pyc", line 206, in Transport
  File "paramiko/kex_curve25519.pyc", line 30, in is_available
  File "cryptography/hazmat/primitives/asymmetric/x25519.pyc", line 39, in generate
  File "cryptography/hazmat/backends/openssl/__init__.pyc", line 6, in <module>
  File "cryptography/hazmat/backends/openssl/backend.pyc", line 63, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 228, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 188, in init_static_locks
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 176, in _ensure_ffi_initialized
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 90, in _openssl_assert
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=126353445, lib=15, reason=524325, reason_text=b'error:07880025:common libcrypto routines::reason(524325)')])

I also get the same error when using the xpra user-interface. Thanks

@kcleal kcleal added the bug Something isn't working label Dec 2, 2022
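
The packed error codes in the traceback above can be decoded by hand. This is an added example, not code from the thread or from xpra or cryptography; the bit layout is the OpenSSL 3.x one from `include/openssl/err.h`, and `SAMPLE` repeats the three entries from the report with `reason_text` elided.

```python
import re

# OpenSSL 3.x packed error-code layout (include/openssl/err.h).
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET

# Only the two library numbers that occur in this traceback.
LIB_NAMES = {15: "ERR_LIB_CRYPTO", 37: "ERR_LIB_DSO"}

# Error entries copied from the traceback in the report (reason_text elided).
SAMPLE = (
    "_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, ...), "
    "_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, ...), "
    "_OpenSSLErrorWithText(code=126353445, lib=15, reason=524325, ...)"
)


def decode(code):
    """Split a packed OpenSSL 3.x error code into its fields."""
    reason = code & ERR_REASON_MASK
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    return {
        "hex": f"{code:08X}",  # the form shown in 'error:XXXXXXXX:...'
        "lib": lib,
        "lib_name": LIB_NAMES.get(lib, "unknown"),
        "reason": reason,
        "fatal": bool(reason & ERR_RFLAG_FATAL),
        "common": bool(reason & ERR_RFLAG_COMMON),
        # Reason with the flag bits stripped; for ERR_R_DSO_LIB this is 37.
        "base": reason & (ERR_RFLAG_FATAL - 1),
    }


def decode_traceback(text):
    """Decode every entry and check it against the printed lib/reason fields."""
    out = []
    for code, lib, reason in re.findall(r"code=(\d+), lib=(\d+), reason=(\d+)", text):
        d = decode(int(code))
        d["consistent"] = (d["lib"], d["reason"]) == (int(lib), int(reason))
        out.append(d)
    return out


if __name__ == "__main__":
    for entry in decode_traceback(SAMPLE):
        print(entry)
```

The third entry, printed only as `reason(524325)`, has the common-reason flag set with base 37, which is `ERR_R_DSO_LIB`. All three entries therefore describe the same failure: libcrypto could not load a shared library.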
@creuzige

creuzige commented Dec 2, 2022

Same error, same OS, but I have things in a conda env where the openssl version is 1.1.1s and cryptography version is 38.0.4.

@totaam
Collaborator

totaam commented Dec 2, 2022

Something must have gone wrong with the upgrade to openssl 3.x and / or the packaging of python-cryptography.

I will investigate asap but I won't have access to my MacOS test env for a few days.

@creuzige

creuzige commented Dec 2, 2022

Thanks for the update. I'm willing to try things out if that would be useful too.
Thanks!

@totaam
Collaborator

totaam commented Dec 2, 2022

@creuzige running with --ssh-upgrade=no should bypass this problem.

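```python
ssh_upgrades = opts.ssh_upgrade
if ssh_upgrades:
    try:
        from xpra.net.ssh.util import nogssapi_context
        with nogssapi_context():
            # importing paramiko is what initializes the cryptography / OpenSSL bindings
            import paramiko
        assert paramiko
        # (embedded excerpt ends here; the matching except clause is not shown)
```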

@creuzige

creuzige commented Dec 2, 2022

As suggested I ran with --ssh-upgrade=no, and got a slightly different error message:

(Xpra:54706): Gtk-CRITICAL **: 15:29:14.978: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2022-12-02 15:29:15,312 Xpra GTK3 client version 4.4.3-r1 64-bit
2022-12-02 15:29:15,341  running on Mac OS X 10.16
2022-12-02 15:29:18,581 GStreamer version 1.20.3
2022-12-02 15:33:54,508 created unix domain socket '/Users/creuzige/.xpra/clients/PN118888.local-54706'
2022-12-02 15:33:54,726 OpenGL_accelerate module loaded
2022-12-02 15:33:54,756 Using accelerated ArrayDatatype
2022-12-02 15:33:55,339 OpenGL enabled on 'AMD Radeon Pro 5300M OpenGL Engine'
2022-12-02 15:33:55,617 removing unix domain socket '/Users/creuzige/.xpra/clients/PN118888.local-54706'
xpra main error:
Traceback (most recent call last):
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 142, in main
    return run_mode(script_file, cmdline, err, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 451, in run_mode
    return do_run_mode(script_file, cmdline, error_cb, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 495, in do_run_mode
    return run_client(script_file, cmdline, error_cb, options, args, mode)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1236, in run_client
    app = get_client_app(script_file, cmdline, error_cb, opts, extra_args, mode)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1410, in get_client_app
    display_desc = do_pick_display(dotxpra, error_cb, opts, extra_args, cmdline)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 847, in do_pick_display
    return parse_display_name(error_cb, opts, extra_args[0], cmdline, find_session_by_name=find_session_by_name)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 495, in parse_display_name
    ssh = parse_ssh_option(opts.ssh)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 674, in parse_ssh_option
    import paramiko
  File "paramiko/__init__.pyc", line 22, in <module>
  File "paramiko/transport.pyc", line 132, in <module>
  File "paramiko/transport.pyc", line 206, in Transport
  File "paramiko/kex_curve25519.pyc", line 30, in is_available
  File "cryptography/hazmat/primitives/asymmetric/x25519.pyc", line 39, in generate
  File "cryptography/hazmat/backends/openssl/__init__.pyc", line 6, in <module>
  File "cryptography/hazmat/backends/openssl/backend.pyc", line 63, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 228, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 188, in init_static_locks
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 176, in _ensure_ffi_initialized
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 90, in _openssl_assert
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=126353445, lib=15, reason=524325, reason_text=b'error:07880025:common libcrypto routines::reason(524325)')])

@totaam
Collaborator

totaam commented Dec 3, 2022

Ah, so you're using an ssh connection.
For this one, add --ssh=ssh.

@creuzige

creuzige commented Dec 5, 2022

That seems to work! Thanks!

@ShadowJonathan

ShadowJonathan commented Dec 10, 2022

Same error, I have 4.4.3,1 installed together with openssl 3.0.7 (openssl@3) and 1.1.1s (openssl@1.1)

appending --ssh=ssh --ssh-upgrade=no to my attach command seems to work for me.

@SpideyPro

Thank you for this solution!! I have spent a lot of time trying to understand what was going on.

I know enough stuff to get in trouble, as I like to say. I'm completely new to xpra and like the concepts behind it.
Currently I've been exploring it for remote access to a Debian server via macOS Monterey.

If possible, could you explain what the --ssh=ssh --ssh-upgrade=no applies to?
I've tried searching the man pages for xpra, ssh and openssl with no luck.

Many thanks for your time and help!

@ShadowJonathan

The options apply when you launch xpra from the command line, with xpra attach or xpra launch and such.

@totaam
Collaborator

totaam commented Dec 25, 2022

> If possible, could you explain what the --ssh=ssh --ssh-upgrade=no applies to?

Contrary to what is said above, these options should apply to every xpra subcommand you can run. Though obviously, this is only relevant in the cases where ssh is going to be used.
The first one specifies which ssh command to use, I have updated the man page in the commit above to clarify things a bit.
The second is only relevant to servers and allows TCP sockets to be used for ssh connections, more info here: https://github.com/Xpra-org/xpra/blob/master/docs/Network/SSH.md

@daleworley

daleworley commented Dec 31, 2022

This link is to an instance of the problem seen on MacOS 12.6.1 (Monterey):
https://xpra.org/list/2022-December/002955.html

@daleworley

OK, the above fixes worked for me (on Monterey). In particular, this command worked:
xpra attach --ssh-upgrade=no --ssh=ssh ssh://10.0.0.224:20802/20
That is, SSH connect to host 10.0.0.224 port 20802, using the current user's user name, accessing the Xpra server on display 20.

@eblanton

We have encountered this bug trying to deploy xpra for students to use for remote access.

Is there a reason that using the system ssh isn't default? It's superior in almost every way (paramiko ignores .ssh/config, the running ssh key agent, existing control sockets, etc.) in our experience using Xpra. I have been putting ssh=ssh in my xpra.conf on all systems for some time now. I understand that some systems may not have an ssh binary, but (essentially) all Linux/BSD/Mac hosts should. Is paramiko buying xpra something that we just haven't noticed?

@totaam
Collaborator

totaam commented Jan 22, 2023

@eblanton :

> Is there a reason that using the system ssh isn't default?

Many.
paramiko is used as a library which allows us to integrate its events and callbacks as dialogs, unlike ssh where we just execute a binary and hope for the best - and timeout if it takes too long.
It is also available on all supported platforms, unlike openssh which isn't usable as a subprocess on win32 - and it is also better than putty / plink.

> paramiko ignores .ssh/config

No it does not. That would be a bug.

```python
# `log` is the module-level logger of the xpra source file this is taken from
def safe_lookup(config_obj, host):
    try:
        return config_obj.lookup(host)
    except ImportError as e:
        log("%s.lookup(%s)", config_obj, host, exc_info=True)
        log.warn(f"Warning: unable to load SSH host config for {host!r}:")
        log.warn(f" {e}")
        if isinstance(e, ModuleNotFoundError):
            log.warn(" (looks like a 'paramiko' distribution packaging issue)")
    # fall back to an empty host config when the lookup could not be done
    return {}
```

> the running ssh key agent

It does support agents: https://docs.paramiko.org/en/stable/api/agent.html
Including agent forwarding: #2303

> existing control sockets

This one is not supported yet

@eblanton

OK -- then I guess I need to file bugs that paramiko doesn't do any of those things on any system I use.

@totaam
Collaborator

totaam commented Jan 22, 2023

@eblanton Please include -d ssh in the bug reports.
It could be a problem with the packaging which may be missing some bits on MacOS - as the packaging tools are a real pain to work with.

@eblanton

I've dug a little bit, and I think the problem is actually that Paramiko doesn't support ProxyJump; between not supporting ProxyJump and not supporting ControlMaster, the behavior without dumping debug information appears as if it's ignoring .ssh/config for the hosts I'm using (because it's ignoring the two relevant config options), by coincidence. I'm filing an Xpra bug (#3745) since Paramiko is default for Xpra and seems to be preferred, but I'll be digging to see if I need to file a Paramiko feature request in the meantime.

This is a problem with no macOS hosts anywhere in sight.
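
The comment above reports that ProxyJump and ControlMaster are not honoured when xpra connects through paramiko. The following added example (not from the thread or from xpra) scans ssh_config text for those directives so that the affected hosts can be given `ssh=ssh`; the sample config, host names and function names are constructed, and `ControlPath` is included on the assumption that it belongs with the control-socket case.

```python
import re
from fnmatch import fnmatch

# Directives the thread reports as not acted on via paramiko
# (ControlPath added as the companion of ControlMaster: an assumption).
NOT_HONOURED = {"proxyjump", "controlmaster", "controlpath"}

# Constructed sample standing in for ~/.ssh/config.
SAMPLE_CONFIG = """\
Host *
    ServerAliveInterval 60

Host lab-gateway
    HostName gateway.example.edu

Host lab-node lab-gpu*
    ProxyJump lab-gateway
    ControlMaster=auto
    ControlPath ~/.ssh/cm-%r@%h:%p

Host plain
    ControlMaster no
"""


def scan_ssh_config(text):
    """Map each Host/Match pattern line to the flagged directives it sets."""
    findings = {}
    current = "*"  # directives before the first Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = value
        elif key in NOT_HONOURED and not (key == "controlmaster" and value.lower() == "no"):
            findings.setdefault(current, []).append(parts[0])
    return findings


def needs_system_ssh(host, findings):
    """True if host matches a flagged Host line (negated patterns ignored)."""
    return any(fnmatch(host, p) for pats in findings for p in pats.split())
```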

@rrama

rrama commented Feb 14, 2023

I got a slightly different trace and the suggested workarounds didn't work.

I have tried running both:
xpra --ssh=ssh --ssh-upgrade=no gui and xpra --ssh=ssh --ssh-upgrade=no launcher.
I have also tried directly opening a .xpra file with the following lines at the bottom:

ssh=ssh
ssh-upgrade=no

I have screenshotted the error, since I don't seem to be able to copy & paste it.
[screenshot: trace]

Specs:
MacBook Pro with Apple M1 Max running macOS 13.1
Xpra Client 4.4.3

@totaam
Collaborator

totaam commented Feb 15, 2023

@kcleal Ah, MacOS "features" strike again: the OS doesn't handle config files as arguments so we construct the window using the default config before being able to load the file specified at some point afterwards.
You may be able to set the defaults this way instead:

echo "ssh=ssh" >> ~/.xpra/xpra.conf
echo "ssh-upgrade=no" >> ~/.xpra/xpra.conf

Another potential workaround would be to nuke the Xpra.app/Contents/Resources/lib/python/paramiko directory.

@totaam
Collaborator

totaam commented Mar 16, 2023

None of the workarounds should be needed with the latest releases.

@totaam totaam closed this as completed Mar 16, 2023